FreeRADIUS EAP-TLS and SSL certificate chains

Meyers, Dan d.meyers at
Tue Feb 17 18:47:49 CET 2009

> >I've actually dropped the -crl_check from this test, as i'm not doing
> >crl checking within FreeRADIUS until i've got it working without it.
> >Also, this command didn't seem to work when my verisign.pem contained
> >
> >1 cert, even after a c_rehash, it only worked if all the certs were
> >individual files:
> >
> >jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -
> CApath
> >.. jrs-radius02.pem
> >jrs-radius02.pem: OK
> >
> What?
> openssl verify -CAfile verisign.pem jrs-radius02.pem
> isn't working? Then something is wrong with your chain file. Check
> you are using the correct root certificate and cat certificates again
> in
> a new bundle.

OK, got this bit sorted, which was me being a tool. I was using vim, and
hadn't noticed one file was being opened in dos mode and the other in
unix. As soon as I catted them together instead of copy-pasting between
terminals I saw that the root block was ending lines with ^M. Converted
that to unix format, re-catted the two into my ca pem file, and openssl
is now happy with a file containing multiple certs and validates the

My client is still giving the same behaviour of not getting the
certificate chain, however.

I did wonder if Windows was being daft, and resaved the ca file so all
certs within it were in dos format instead of unix. After another rehash
openssl still verified the chain fine, but my client is still not
playing ball.


More information about the Freeradius-Users mailing list